Simple and Efficient Multiparty Computation based on Homomorphic Threshold ElGamal with
Applications

Abstract. We present new results in the framework of secure multiparty computation
based on homomorphic threshold cryptosystems. We introduce the conditional gate as a
special type of multiplication gate that can be realized in a surprisingly simple and efficient
way using just standard homomorphic threshold ElGamal encryption. As addition gates
are essentially for free, the conditional gate not only allows for building a circuit for any
function, but actually yields efficient circuits for a wide range of tasks.

Our results are best viewed as uniting the benefits of the Mix and Match approach
of Jakobsson and Juels [JJ00] and the approach of Cramer, Damgård, Nielsen [CDN01].
Like [CDN01], we take full advantage of the homomorphic properties of the underlying
cryptosystem by not restricting the elementary gates to work on bits only, but on ring or
field elements as much as possible. At the same time, like [JJ00], our results hold under the
standard Decision Diffie-Hellman assumption using just homomorphic threshold ElGamal
encryption, whereas the results of [CDN01] rely on the use of RSA-like cryptosystems such
as Paillier's cryptosystem. This is also of great practical significance, as the generation
of a shared RSA modulus for the corresponding threshold cryptosystems is costly, often
dominating the cost of an entire application. Even for the two-party case, sharing an RSA
modulus is a non-trivial task. In contrast, distributed key generation for discrete log based
cryptosystems is simple, and practically for free in the two-party case.

We show that our approach leads to probably the most efficient solution to date for
Yao's millionaires problem and many other problems, such as secure auctions, noting that
we treat the malicious case and address fairness for the two-party case throughout. We
observe that our approach performs particularly well for ad hoc contacts among a large
group of peer users, where it is important that each user needs only a limited amount of set-
up information (independent of the total number of users), and the total time of execution —
including the time for distributed key generation — for running a protocol between any two
users is limited as well. For example, we obtain practical protocols for problems such as
"profile matching", where two parties jointly test whether some function of their profiles
exceeds a given threshold without divulging any information on their profiles.



1 Introduction 

The manual of any programming language will cover the arithmetic and relational operators
in one of its opening chapters. Clearly, programming languages provide complete sets of
operators that allow us to program any computable function. For convenience and for
efficiency, though, the set of operators is larger than required from the computability
point of view. Similarly, in secure multiparty computation one often considers addition
and multiplication (of bits) as the basic operations from which any function can be built.
In this paper we set out to devise efficient building blocks for more advanced arithmetic and
relational operators. These building blocks then allow us to quickly obtain practical
solutions for many non-trivial tasks.

Homomorphic threshold cryptosystems provide a basis for secure multiparty computation.
For a given n-ary function f, one composes a circuit of elementary gates that, given
encryptions of x_1, ..., x_n on its input wires, produces an encryption of f(x_1, ..., x_n) on its
output wire. The elementary gates operate in the same fashion. The wires of the entire
circuit are encrypted under the same public key; the corresponding private key is shared
among a group of parties. It is customary to distinguish addition gates and multiplication
gates. Addition gates can be evaluated without having to decrypt any value, taking full ad-
vantage of the homomorphic property of the cryptosystem. Multiplication gates, however,
require at least one threshold decryption to succeed even for the semi-honest case. To deal
with the malicious case, multiplication gates additionally require the use of zero-knowledge
proofs.

The elementary gates operate on bits (the field F_2) or on elements of larger domains
(rings or fields), where apparently the latter type is preferred from an efficiency point
of view. [...] general approach to multiparty computation [...] allows for very efficient
arithmetic. Problems that require a lot of arithmetic [...]; e.g., see [CD01] for recent [...].
For many problems, however, elementary gates operating on bits are sufficient. For example,
[...] solutions to Yao's millionaires problem rely on viewing the inputs as bit strings [...];
the full generality of the protocols in [CDN01] is not needed, [...] form of homomorphic
threshold [...].

[...] of [CDN01] are known to exist only under RSA-like assumptions ([...] Paillier [...]
and cryptosystems based on quadratic residuosity [...], see [FH96]). We show that basically
[...] efficiently handling a wide range of problems. The main [...] is that distributed key
generation for discrete log based cryptosystems is relatively simple (see [Ped91,GJKR99]),
while generating a shared RSA modulus, even if just two parties are involved, is far from
trivial. (For [...] (Crypto 2002, p.431, honest-but-curious), whereas DL: O(k^3) [...]
modular multiplications.) As an additional advantage, [...] any discrete log setting, such as
elliptic curves.

Multiparty computations based on homomorphic threshold cryptosystems typically
have a low computational complexity and a low bit complexity, but a high round complex-
ity. [...] (Yao's millionaires problem) our protocols [...] less work and communication
than [JJ00,CDN01]. The price we pay [...]. For the millionaires problem the round
complexity of our solution is the same as [JJ00,CDN01], and likewise for many other cases
the round complexity is low.
We observe that for many applications our approach performs particularly well for
ad hoc contacts among a large group of peer users, where it is important that each user
needs only a limited amount of set-up information (independent of the total number of
users), and the total time of execution — including the time for distributed key generation —
for running a protocol between any two users is limited as well. For example, we obtain
practical protocols for problems such as "profile matching", where two parties jointly test
whether some function of their profiles exceeds a given threshold without divulging any
information on their profiles.

2 Introduction 

Homomorphic encryption schemes are very attractive as they allow computations to be
made on encrypted values. Some well known examples of this kind of computations
are auctions [Bau01], the Millionaires problem [Yao82], secure function evaluation [JJ00],
voting [?], crypto computing with rationals [PSW01] and secure profile matching etc.

A basic tool in the toolbox for computing under the encryption is a secure multiplica-
tion protocol. In [CDN01] a general multiparty multiplication protocol was developed.
However, in its full generality the protocols in [CDN01] rely on threshold homomorphic en-
cryption systems that satisfy a rather strong property: the decryption protocol is required
to return the exact plaintext. Such cryptosystems follow from Paillier's cryptosystem and
its generalisations or from cryptosystems based on quadratic residuosity (or higher order
residues). These systems all use an RSA modulus. There are several disadvantages to this.
First, no discrete log alternatives are known. Secondly, obtaining threshold versions of these
schemes is notoriously hard as generating a shared RSA modulus is complicated.

3 The Problem 

A two-party multiplication protocol is a protocol carried out by two players. The input
of the protocol consists of two (possibly encrypted) numbers, say x and y. The number x
is provided by player 1 and y is provided by player 2. At the end of the protocol, both
players get the product [xy] as a result. Moreover they get a proof that the result was
correctly computed and that the other player did not cheat. More specifically, we focus on
the following situation: Both players have only an encrypted version of their input, [x] and
[y] respectively.

We will refer to this protocol as a multiplication protocol with a shared dichotomous
multiplier. The protocols that have been developed in the literature [CDN01] are very
general but not so efficient.

4 The solution 

The focus of the solution of this paper is on efficient multiplication protocols. General
secure multi-party multiplication protocols were developed in [CDN01]. By considering
some concrete practical situations, more efficient solutions can be obtained.
The scheme that we propose is based on the ElGamal cryptosystem explained elsewhere
in this document.



4.1 Multiplication protocols

A multiplication protocol takes as input two encrypted values x and y, say, and produces
an encryption of the product xy. Instead of encryptions, also commitments can be used. We
like to use weakly homomorphic encryption schemes only. As noted above, such ElGamal-
like homomorphic schemes do not allow for a general multiplication protocol. Therefore,
we consider a special case for multiplication.

If both inputs are shared, then we cannot have an efficient multiplication protocol in
general. However, if we assume that one of the shared inputs is two-valued, an efficient
multiplication protocol can still be constructed.



5 The problem

In this section we provide an answer for the following problem. Two users, Alice and Bob, have
a profile which expresses their interests in a specific item. As an example one might think
of Alice and Bob having a database of music files. They add to each song a number
expressing how much they like it. When they meet each other, they would like to compare
their profiles without exchanging the details of their profiles. In a more abstract way, we
solve the problem of allowing two users to compare their private data without revealing any
other information than whether they are similar or not (according to some predetermined
measure).

As a spin-off of this solution, we describe also a few protocols for searching in encrypted
databases (membership tests) and auctions.

6 Homomorphic Commitments and Encryptions

6.1 Preliminaries

Discrete Log Setting. Let G = ⟨g⟩ denote a finite cyclic (multiplicative) group of prime
order q for which the Decision Diffie-Hellman (DDH) problem is assumed to be infeasible:
given g^α, g^β, g^γ ∈_R G, it is infeasible to decide whether αβ = γ (mod q). This implies
that the discrete log (DL) problem is infeasible as well: given h = g^α ∈_R G, it is infeasible
to compute log_g h = α.

Σ-Protocols. We briefly mention a few facts about Σ-protocols [CDS94]. A Σ-protocol
is a three-move proof of knowledge satisfying special soundness and special honest-verifier
zero-knowledge. In [CDN01] a method is given to generate the challenge for the Σ-protocols
jointly. We will employ the random oracle model.
Homomorphic ElGamal Encryption. For public key h ∈ G, we use additively homomorphic
ElGamal encryption, where message m ∈ Z_q is encrypted as a pair (a, b) = (g^r, g^m h^r), with
r ∈_R Z_q. The homomorphic property is that componentwise multiplication of encryptions
of m and m', respectively, yields an encryption of m + m' (modulo q):

(a, b) * (a', b') = (aa', bb') = (g^{r+r'}, g^{m+m'} h^{r+r'}).

Given an encryption (a, b) = (g^r, g^m h^r) as common input, standard techniques yield a
proof of knowledge for showing knowledge of the (unique) witness (m, r). (Standard El-
Gamal encryption with encryptions of the form (g^r, m h^r) for m ∈ G is homomorphic in a
multiplicative sense but lacks such a proof of knowledge.)

We define an equivalence relation on G × G by stating that encryptions (a, b) and
(a', b') are equivalent iff log_g(a/a') = log_h(b/b'). Using (1, g^m), m ∈ Z_q, as canonical rep-
resentatives, we use [m] to denote the equivalence class of (1, g^m). In other words, [m]
denotes the set of all ElGamal encryptions of m (under public key h). The operations on
the direct product group G × G are lifted to the equivalence classes in the usual way. The
homomorphic property then implies that [m] + [m'] = [m + m'] and that c[m] = [cm] for
any public scalar c ∈ Z_q.

Thus addition and multiplication by a scalar are easily accomplished. These operations
can easily be verified when we implement these in a deterministic fashion.

Randomization (or blinding) of ElGamal encryptions is an important primitive as well.
This amounts to multiplying a given encryption with a random element (a, b) ∈_R [0].
Proving that log_g a = log_h b shows that (a, b) is indeed an encryption of 0.

Given the private key α = log_g h, decryption is performed by calculating b/a^α, which
is equal to g^m for some m ∈ Z_q. Recovering m from g^m is supposed to be hard in general,
hence we need to view this cryptosystem with respect to a set M ⊂ Z_q of sufficiently small
size such that finding m from g^m is feasible whenever m ∈ M. In this paper, however, the
size of M will be very small, often |M| = 3.

The ElGamal cryptosystem is semantically secure under the DDH assumption, but
clearly it lacks security against active attacks due to the homomorphic properties.

Pedersen Commitment. Given g, h ∈ G, a commitment to message m ∈ Z_q is a value
c = g^m h^r with r ∈_R Z_q. The commitment is opened by revealing m and r. Pedersen's
scheme is unconditionally hiding and computationally binding, under the assumption that
log_g h cannot be determined. The commitment scheme is also additively homomorphic,
and we will use ⟨⟨m⟩⟩ to denote a commitment to message m, where the randomization is
suppressed.

Threshold ElGamal Decryption. In a (t, n)-threshold version of ElGamal, 1 ≤ t ≤ n,
encryptions are computed w.r.t. a common public key h (as above) while decryptions are
done using a joint protocol between n parties, each party possessing a share of the private
key α = log_g h. As long as at least t parties take part, decryption will succeed, whereas
fewer than t parties are not able to decrypt successfully. The parties obtain their share by
running a distributed key generation protocol. See [Ped91,GJKR99] for details.

Since we are particularly interested in two-party computation we give some more details
for the (2,2)-threshold scheme. Distributed key generation is achieved by having parties
P_1, P_2 first broadcast Pedersen commitments c_i = ⟨⟨α_i⟩⟩ with α_i, r_i ∈_R Z_q for i = 1, 2, and
then open them by broadcasting the values r_i along with proofs of knowledge of log_g h_i,
where h_i = g^{α_i} is recovered from c_i and r_i for i = 1, 2. The joint public key is
h = h_1 h_2, with private key α = α_1 + α_2. To decrypt an encryption (a, b), player P_i
produces a_i = a^{α_i}, along with a proof that log_a a_i is equal to log_g h_i. The message is
then recovered from b/(a_1 a_2).

Clearly, (2,2)-threshold ElGamal allows for ad-hoc use. The effort for generating the
keys is about the same as the effort for performing a decryption.

7 Multiplication protocols

In designing efficient circuits we take as much advantage as possible from the fact that
the message space Z_q is actually a field. Due to the homomorphic properties of ElGamal
encryption, addition over Z_q is essentially for free. The same applies to multiplication with
a publicly known constant in Z_q. In this section, we are concerned with multiplications
where both inputs are encrypted.

A multiplication protocol takes as input an encrypted multiplier x and an encrypted
multiplicand y and produces in polynomial time as output an encryption of the product xy.
The protocol should not leak any information on x, y, and xy. Furthermore, it is required
that the protocol generates a publicly verifiable proof that the product is computed correctly.
Thus, the security of the protocols is considered for the malicious case.

The encryptions of x, y, and xy are homomorphic ElGamal encryptions denoted by
[x], [y], and [xy], where it is understood that these encryptions are randomized and the
public key for these encryptions is always the same. The corresponding private key is shared
among a number of parties.

If no restrictions are put on x or y, such a multiplication protocol cannot exist under the
Diffie-Hellman assumption. (Given g^x, g^y we form homomorphic ElGamal encryptions for
x and y respectively. The multiplication protocol would return a homomorphic ElGamal
encryption of xy, which would give g^{xy} upon decryption.) Therefore, we consider two special
multiplication protocols, putting some restrictions on the multiplier x. The first protocol,
referred to as the conditional gate, requires that the multiplier x is from a dichotomous
(two-valued) domain. The second protocol requires that the multiplier x is private, that is,
known by a single party.

Finally, we also consider

7.1 Multiplication with a Private Multiplier

In this section, we present a multiplication protocol where the multiplier x is a private
input rather than a shared input. That is, the value of x is known by a single party P. No
restriction is put on the multiplicand y. Multiplication with a private multiplier occurs as
a subprotocol in the protocol for a conditional gate and other protocols further on in the
paper.

Given encryptions [x], [y], where party P knows r_x, x such that [x] = (g^{r_x}, g^x h^{r_x}), party
P computes an encryption [xy] on its own, along with a publicly verifiable proof showing
that the output is correct. Due to the homomorphic properties, party P can do so in a
straightforward way — without the need for decryptions.

Let [x] = (A, B) = (g^{r_x}, g^x h^{r_x}), where party P knows r_x, x, and let [y] = (C, D). Player
P broadcasts [xy] := [...], along with a non-interactive proof that it knows r_x, x, [...] such
that [...]. This is a proof that requires 4 (multi-)exponentiations for both the prover and
the verifier; it consists of 3 values from Z_q.

A simple modification to the above protocol lets party P use a commitment ⟨⟨x⟩⟩ instead
of [x], where ⟨⟨x⟩⟩ = g^x h^{r_x}. Another variation is to multiply x with several multiplicands
at the same time. In such cases, the non-interactive proofs can be done more efficiently.

7.2 Conditional Gates: Multiplication with a Shared Dichotomous Multiplier

Consider a multiplication operation xy where the multiplier x is from a dichotomous (two-
valued) domain, whereas the multiplicand y is from an unrestricted domain. In this section
we show that dichotomous multipliers allow for a simple multiplication protocol, to which
we refer as a conditional gate. As will be shown later in this paper, these conditional gates
form a very powerful primitive.

The dichotomous domain {−1, 1} is convenient for our purposes. Domain {0, 1} or any
other domain {a, b}, a ≠ b, can be used instead, as these domains can be transformed
into each other by linear transformations: x ↦ a' + (b' − a')(x − a)/(b − a) maps {a, b}
onto {a', b'}. These transformations can be applied to encryptions, transforming [x] with
x ∈ {a, b} into [x'] with x' ∈ {a', b'}.

Let [x], [y] denote encryptions, where it is given that x ∈ {−1, 1}. The following pro-
tocol enables players P_1, ..., P_N, N ≥ 2, to compute an encryption [xy] securely. For
simplicity, we assume that the players P_1, ..., P_N also share the private key of the homo-
morphic encryption scheme [·]. Write x_0 = x.

Stage 1 For i = 1, ..., N, player P_i takes [x_{i−1}] as input and chooses s_i ∈_R {−1, 1}. Player
P_i broadcasts encryptions [s_i] and [s_i x_{i−1}], and a proof that [s_i x_{i−1}] is correct w.r.t.
[s_i] and [x_{i−1}], using the protocol for multiplication with a private multiplier. Let
x_i = s_i x_{i−1}.

Stage 2 The players jointly decrypt [x_N] to obtain x_N. Each player checks that x_N ∈ {−1, 1}.
Given x_N and [y], the encryption [x_N y] is computed publicly. Let z_0 = x_N y.

Stage 3 For i = 1, ..., N, player P_i takes [z_{i−1}] as input and broadcasts an encryption [s_i z_{i−1}],
and a proof that [s_i z_{i−1}] is correct w.r.t. [s_i] and [z_{i−1}], using the protocol for multi-
plication with a private multiplier. Let z_i = s_i z_{i−1}.

The output of the protocol is [z_N] = [xy]. Note that the protocol requires a single threshold
decryption only. Since x_N ∈ {−1, 1} must hold, decryption is feasible for the homomorphic
ElGamal encryption scheme. As the value of x_N is statistically independent of x if at least
t ≥ N/2 honest players are able to complete the protocol successfully, the value of x_N does
not reveal any information on x.
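The conditional gate above, together with the (2,2)-threshold ElGamal of Section 6.1 and the private-multiplier step of Section 7.1 it builds on, as an added runnable example (this is not code from the paper). The toy group p = 2039, q = 1019, g = 4 is an assumption chosen for speed and offers no security; all zero-knowledge proofs are left out, so the code models the semi-honest run only. The XOR gate of Section 8.1 is included because it needs exactly the same machinery.

```python
"""Toy additively homomorphic (2,2)-threshold ElGamal with the conditional gate
and the XOR gate built on it (added example, not the paper's code).

Assumptions: group parameters are deliberately tiny (p = 2q + 1 with q = 1019,
g = 4 generates the order-q subgroup) so everything runs instantly; they give
no security. The zero-knowledge proofs attached to every message in the paper
are omitted, so this models the semi-honest run of the protocols only.
"""
import secrets

P, Q, G = 2039, 1019, 4          # toy parameters (assumption), NOT secure


def keygen_2_2():
    """(2,2)-threshold key generation: party i keeps a_i and publishes
    h_i = g^{a_i}; the joint public key is h = h_1 h_2, i.e. alpha = a_1 + a_2."""
    a1, a2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, a1, P) * pow(G, a2, P) % P, (a1, a2)


def enc(h, m, r=None):
    """[m] = (g^r, g^m h^r): additively homomorphic ElGamal of m in Z_q."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, r, P), pow(G, m % Q, P) * pow(h, r, P) % P


def add(c1, c2):
    """[m1] * [m2] = [m1 + m2] (componentwise product of the pairs)."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P


def scal(k, c):
    """[m]^k = [k m] for a public scalar k (negative k is taken mod q)."""
    return pow(c[0], k % Q, P), pow(c[1], k % Q, P)


def private_mult(h, x, c):
    """Multiplication with a private multiplier: the party that knows x raises
    [y] to the power x and re-randomises with a fresh s, giving [x y].
    Assumption: this is the natural instantiation; the accompanying proof
    that the result is correct w.r.t. [x] and [y] is omitted here."""
    s = secrets.randbelow(Q)
    return add(scal(x, c), enc(h, 0, r=s))


def dec_share(a_i, c):
    """Party i's decryption share a^{a_i} for ciphertext (a, b)."""
    return pow(c[0], a_i, P)


def combine(shares, c, msgset):
    """b / (a^{a_1} a^{a_2}) = g^m; m is recovered by trying the small set M."""
    d = c[1]
    for s in shares:
        d = d * pow(s, P - 2, P) % P
    for m in msgset:
        if pow(G, m % Q, P) == d:
            return m
    raise ValueError("plaintext outside the expected message set")


def decrypt(h, shares, c, msgset):
    """Full (2,2)-threshold decryption: both shares, then combine."""
    return combine([dec_share(a, c) for a in shares], c, msgset)


def conditional_gate(h, shares, cx, cy):
    """Conditional gate for N = 2 players with x in {-1, 1}. Stage 1 blinds x
    by s_1 s_2, stage 2 decrypts the blinded multiplier x_N (the only threshold
    decryption), stage 3 multiplies the blinding back out: prod s_i^2 = 1."""
    s = [secrets.choice((-1, 1)) for _ in shares]      # each player's s_i
    cx_i = cx                                          # x_0 = x
    for s_i in s:                                      # stage 1: x_i = s_i x_{i-1}
        cx_i = private_mult(h, s_i, cx_i)
    x_n = decrypt(h, shares, cx_i, (-1, 1))            # stage 2: decrypt x_N
    cz = scal(x_n, cy)                                 # z_0 = x_N y, public
    for s_i in s:                                      # stage 3: z_i = s_i z_{i-1}
        cz = private_mult(h, s_i, cz)
    return cz                                          # [z_N] = [x y]


def xor_gate(h, shares, cx, cy):
    """x xor y for bits: x' = 2x - 1 (public transform), one conditional gate
    for [x' y], then [x - x' y] = [x + y - 2xy] = [x xor y]."""
    cxp = add(scal(2, cx), enc(h, -1, r=0))            # [x'] with x' in {-1, 1}
    return add(cx, scal(-1, conditional_gate(h, shares, cxp, cy)))


def demo():
    """Runs both gates on constructed inputs; returns the decrypted results."""
    h, shares = keygen_2_2()
    products = {}
    for x in (-1, 1):
        for y in (-7, 0, 3, 19):
            c = conditional_gate(h, shares, enc(h, x), enc(h, y))
            products[(x, y)] = decrypt(h, shares, c, range(-20, 21))
    xors = {}
    for x in (0, 1):
        for y in (0, 1):
            c = xor_gate(h, shares, enc(h, x), enc(h, y))
            xors[(x, y)] = decrypt(h, shares, c, (0, 1))
    return products, xors


if __name__ == "__main__":
    print(demo())
```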

The protocol requires roughly 2N rounds.

Optimistic mode: run as above.

The protocol can be made robust as follows. If a player fails in stage 1, it is simply
discarded in the remainder of the protocol. For stage 2, the joint decryption step is robust
by definition. If the check x_N ∈ {−1, 1} fails, the players are required to broadcast a proof
that s_i ∈ {−1, 1}. The players who fail to provide a correct proof are discarded, and their
s_i values are decrypted. The value of x_N is adjusted accordingly. Similarly, in stage 3, if
player P_i fails to complete its step, its value s_i is decrypted and the encryption [s_i z_{i−1}] is
computed publicly.

Theorem 1. The protocol is correct, sound, and computationally zero-knowledge.

Proof. Clearly, z_N = xy (∏_{i=1}^N s_i)^2 = xy is the desired output if the parties are honest.

The soundness of the proofs in stage 1 ensures that x_N = x ∏_{i=1}^N s_i. Since it is checked in
stage 2 that x_N ∈ {−1, 1}, it follows from x ∈ {−1, 1} that ∏_{i=1}^N s_i ∈ {−1, 1}. The
soundness of the proofs in stage 3 ensures that z_N = x_N y ∏_{i=1}^N s_i, hence that z_N = xy.

For zero-knowledgeness, we may simulate all but one player, w.l.o.g. P_1, as follows.
The simulator extracts the values s_i for i ≠ 1 and simulates P_1 by setting s_1 = s̃_1/x
(using 'compatibility' of [·] and ⟨⟨·⟩⟩ ...) and simulating the proof in stage 1. Then the
simulator is able to produce the decryption in stage 2 as s̃_1 s_2 ··· s_N. To perform stage 3,
compute [s_1 z_0] from [s̃_1 z_0] and [x] and simulate the proof (these encryptions are computationally
indistinguishable).

Intuition: only a random ciphertext is decrypted.

NOTE: handle threshold decryption.

Note that we do not need that each s_i is in {−1, 1}. We assume that at least one player is
honest, say P_1. If N > 2, however, two of the remaining players, say P_2 and P_3, may set
s_2 = 2 and s_3 = 1/2, such that s_2 s_3 = 1. This is harmless to the protocol.

8 Logical gates

Any operator on two bits x and y can be expressed in a unique way as a polynomial of the
form:

a_0 + a_1 x + a_2 y + a_3 xy.

The coefficients are not necessarily binary. For example, the exclusive-or operator ⊕ satisfies
x ⊕ y = x + y − 2xy. There are exactly 16 polynomials of type {0, 1}^2 → {0, 1}, which is
immediate if one considers the following normal form:

b_0 xy + b_1 x(1 − y) + b_2 (1 − x)y + b_3 (1 − x)(1 − y),

where the coefficients are binary. The correspondence is given by:

a_0 = b_3,

a_1 = b_1 − b_3,

a_2 = b_2 − b_3,

a_3 = b_0 − b_1 − b_2 + b_3.

In general, the coefficients need not be integers either, if one works with other two-
valued domains such as {−1, 1}.

8.1 XOR-Homomorphic Encryption from Homomorphic ElGamal
Encryption

The well-known scheme of Goldwasser and Micali based on the Quadratic Residuosity
assumption [GM84] is a basic example of an xor-homomorphic encryption scheme, that is,
the scheme is homomorphic w.r.t. (Z_2, +). A natural question is how xor-homomorphic and
(Z_n, +)-homomorphic schemes with n > 2 relate to each other. In [KMO01], the problem
of building (Z_n, +)-homomorphic schemes from xor-homomorphic schemes is considered;
the motivation being that not all encryption schemes are (Z_n, +)-homomorphic. However,
it is also true that not all encryption schemes are xor-homomorphic. In particular, it is
hard to obtain an xor-homomorphic ElGamal scheme.

As a direct application of the conditional g ate, we obtain an xor-homomorphic ElGamal
encryption scheme. Given [x] and [y] with x, y ∈ {0, 1}, we compute [x ⊕ y] as follows:

1. Publicly convert [x] to [x'] with x' = 2x − 1 ∈ {−1, 1}.

2. Apply the conditional gate to [x'] and [y] to obtain [x'y].

3. Publicly compute [x − x'y], which is equal to [x ⊕ y].

The application of the conditional gate requires a threshold decryption. However, this
seems unavoidable for achieving xor-homomorphic ElGamal encryption.

8.2 Fairness

Recall that t denotes the maximum number of corrupted parties tolerated by the circuit
evaluation protocol. So far, we have focused on the case that t < n/2, that is, the case
of a dishonest minority, for which the protocol achieves robustness. We now extend the
protocol to handle the two-party case t = n/2 = 1.

For the two-party case we give up on robustness, as it is well-known that robustness
cannot be achieved for dishonest majorities. In other words, one cannot prevent one of the
parties from quitting the protocol prematurely. If a party chooses to do so, however, it
should not gain any advantage from it. If a protocol achieves this property, the protocol is
said to be fair.

Now, the important observation for the above circuit evaluation protocol is that nei-
ther party gains any advantage from quitting the protocol in phase 1 or phase 2 of the
protocol. In particular, consider the case that party P_2, say, chooses to quit during the
threshold decryption step of a conditional gate, for which party P_1 already produced its
decryption share. In that case, only P_2 learns the decrypted value, but this value cannot
possibly give P_2 an advantage, as this value is statistically independent of the inputs to
the conditional gate. This line of reasoning also applies to the case that many conditional
gates are evaluated in parallel.

To achieve fairness, we only need to protect the decryption of the output values. For
this purpose, we will apply a protocol somewhat similar to that of [BST01]. In [BST01],
however, the protocol steps for achieving fairness are intertwined with the original protocol
steps, while in our protocol the additional steps for achieving fairness are strictly limited
to the decryption of the output values.

Let encryption (a, b) be given. Recall from Section 6.1 that (2,2)-threshold decryp-
tion requires party P_i to provide a^{α_i}, i = 1, 2. Instead of directly revealing this value,
we will release it gradually using the following protocol, where k is a security parameter,
k < log_2 q.

1. For i = 1, 2, party P_i chooses e_{ij} ∈_R {0, 1}, α_{ij} ∈_R Z_q for j = 0, ..., k − 1 subject to
the condition that α_i = Σ_{j=0}^{k−1} α_{ij} 2^j. Party P_i then broadcasts the values c_{ij} = a^{α_{ij}} g^{e_{ij}},
j = 0, ..., k − 1, along with a proof that each e_{ij} ∈ {0, 1} (a standard Σ-protocol, cf. Section 6.1).

2. Set j = k − 1. Parties P_1, P_2 repeatedly execute the following step. For i = 1, 2, party
P_i broadcasts values α_{ij}, e_{ij}. If all these values verify correctly against c_{ij}, the value of
j is decremented and the step is repeated if j > 0.

3. Once j = 0 both parties release e_{i0} along with a proof of knowledge for a witness α_{i0}
satisfying c_{i0} g^{−e_{i0}} = a^{α_{i0}}.

4. Both parties are able to recover the missing value a^{α_i}, as follows:

a^{α_i} = ∏_{j=0}^{k−1} (c_{ij} g^{−e_{ij}})^{2^j}.

At each stage of the protocol, either party is at most one bit ahead of the other party,
hence the protocol is fair. If one sets k = 80, for instance, it is clearly infeasible for both
parties to compute the missing value a^{α_i} at step 1, as it requires a search over 2^k possible
values for e_{i,k−1}, ..., e_{i0}. At each later step, the search space is reduced in size by a factor
of two.

The protocol does not leak any information on α_i beyond what is implied by the output
values a^{α_i}. The protocol can be run in parallel for decrypting multiple outputs at the
same time, and the protocol can be combined easily with our protocol for private outputs
presented above.
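The gradual release of one party's decryption share, as an added example (not code from the paper) that also measures the argument of the last two paragraphs: the number of shares still consistent with the bits released so far halves at every step. Assumptions: the same toy group p = 2039, q = 1019, g = 4 (insecure); k = 8 instead of 80 so the search is cheap to run; the 0/1 proofs of step 1 and the proof of knowledge of step 3 are omitted, only the public consistency checks of step 2 are performed.

```python
"""Gradual release of a (2,2)-threshold decryption share (added example, not the
paper's code). Assumptions: toy group p = 2039, q = 1019, g = 4 (not secure);
k = 8 bits instead of 80 so the brute-force search that measures the other
party's remaining advantage is cheap; the 0/1 proofs of step 1 and the proof
of knowledge of step 3 are omitted, only the step 2 consistency checks remain.
"""
import secrets

P, Q, G = 2039, 1019, 4   # toy parameters (assumption), NOT secure
K = 8                     # security parameter k (the paper suggests 80)


def commit_share(a, alpha):
    """Step 1: split alpha = sum_j alpha_j 2^j (mod q), pick bits e_j and
    publish c_j = a^{alpha_j} g^{e_j}. Returns the private parts and the c_j."""
    rest = [secrets.randbelow(Q) for _ in range(1, K)]           # alpha_1..alpha_{K-1}
    alpha0 = (alpha - sum(aj << j for j, aj in enumerate(rest, 1))) % Q
    alphas = [alpha0] + rest
    es = [secrets.randbelow(2) for _ in range(K)]
    cs = [pow(a, aj, P) * pow(G, ej, P) % P for aj, ej in zip(alphas, es)]
    return alphas, es, cs


def verify_release(a, c_j, alpha_j, e_j):
    """Step 2 check by the other party: the opened pair must match c_j."""
    return e_j in (0, 1) and c_j == pow(a, alpha_j, P) * pow(G, e_j, P) % P


def recover_share(a, cs, es):
    """Step 4: a^{alpha} = prod_j (c_j g^{-e_j})^{2^j}; needs every bit e_j."""
    share = 1
    for j, (cj, ej) in enumerate(zip(cs, es)):
        share = share * pow(cj * pow(G, (-ej) % Q, P) % P, 1 << j, P) % P
    return share


def candidates(a, cs, known):
    """Shares still consistent with the bits released so far: a party that is
    behind can only guess the unknown e_j, so this is its search space."""
    unknown = [j for j in range(K) if known[j] is None]
    out = set()
    for guess in range(1 << len(unknown)):
        es = list(known)
        for t, j in enumerate(unknown):
            es[j] = (guess >> t) & 1
        out.add(recover_share(a, cs, es))
    return out


def run():
    """One party's release, watched by the other. Returns the size of the
    search space before each release step and whether recovery succeeded."""
    alpha = secrets.randbelow(Q)                 # this party's key share alpha_i
    a = pow(G, 1 + secrets.randbelow(Q - 1), P)  # first component of the ciphertext
    alphas, es, cs = commit_share(a, alpha)
    known = [None] * K
    sizes = []
    for j in range(K - 1, -1, -1):               # steps 2 and 3, top bit first
        sizes.append(len(candidates(a, cs, known)))
        if j > 0 and not verify_release(a, cs[j], alphas[j], es[j]):
            raise ValueError("inconsistent opening")
        known[j] = es[j]                         # step 3 releases only e_0
    return sizes, recover_share(a, cs, known) == pow(a, alpha, P)


if __name__ == "__main__":
    print(run())
```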

The problem of achieving fairness for two-party computation was recently addressed in
[?], for protocols based on Yao's "garbled circuit" approach. Our results show that fairness
can be achieved in a simple and elegant way for any two-party computation for protocols
based on homomorphic threshold cryptosystems.
9 General Circuits

9.1 Overview

In our approach a circuit for evaluating an arbitrary function will be built from addition
gates and the special multiplication gates. Clearly, this set of gates is sufficient to build a
circuit for any function. We will show though that our set of elementary gates allows for
particularly efficient circuits for a wide range of problems.

The inputs of the elementary gates can be any value in Z_q, except that the multiplier for the
conditional gate must be binary.

1. Players provide encrypted inputs.

2. Players evaluate each gate of the circuit, where the outputs are put in encryptions.

3. Finally, decrypt the outputs.

Perform rounds at the same depth in parallel.

9.2 Adding Fairness to Threshold Decryption

Gradually reveal the decryption of the final ciphertext. For n-party computations with n > 2, if
one works with an honest majority, one achieves fairness automatically.

Consider the two-party case. Given an encryption [x], we wish to decrypt it in a fair
way. Assume that (2,2)-threshold decryption is used. Instead of providing a^{α_i}, a player
will provide a^{α_i} g^{e_i}, where e_i ∈ {0, ..., 2^k − 1} for some security parameter k. In addition,
the commitments a^{α_{ij}} g^{e_{ij}} are provided plus 0/1 proofs etc. Then they may gradually release
the e_{ij}'s.

If the output of the protocol consists of multiple encryptions, the gradual decryption
is run in parallel on each decryption.

Note that the intermediate decryptions do not give any advantage to either player,
when one of them chooses to abort the protocol. Therefore, only the final decryption needs
to be made fair using well-known standard techniques.

9.3 Private Outputs

Private outputs can be obtained in various ways. A well-known method lets the receiver
blind the ciphertext (more precisely, blinding the plaintext contained in it; the receiver
needs to prove that the blinding is done honestly, by showing that it knows the random
plaintext used as one-time pad, i.e., by proving knowledge of the exponents of the blinding
pair). The blinded ciphertext is decrypted, and only the receiver is able to unblind the
plaintext. Note, however, [...]

An alternative method avoids interaction with the receiver; each share of the decryption
is ElGamal encrypted by the players in the threshold scheme with the public key of the
receiver, and a proof is given that the encrypted share is correct. The receiver only needs
to decrypt the Lagrange interpolation of these encrypted shares.
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10 Relational and Arithmetic Operators 

In this section we will apply the special multiplication gates to obtain efficient circuits for 
basic operations such as integer comparison and addition of binary represented numbers. 

10.1 The Millionaires 

In this section, we present an efficient solution for a slight variant of Yao's millionaires 
problem that allows extensions to more general situations. We assume that x and y axe 
given by their binary representations, i.e. x = (x 0 _i,... a xo) and y = (y«h-iw,yo) 
respectively. Firstly, we define a multivariate polynomial P over Z that implements the 
sign function, i.e. P(so,..^*nwi,|/o,".>3fo-x) = egn(a -y) for all a?,y*0 < x,y 9 < 2". 
Hereby sgn is defined asi 

{-1, z < 0, 
0,z = Q, (1) 
1, z > 0. 

Several polynomials can be used to implement this function. It turns out that the most effi-
cient solution can be constructed based on the following multivariate reduction polynomial. 
For x, y ∈ {0, 1}, we define 

  P(s, x, y) = s + (1 - s^2)(x - y).                     (2) 

Note that s^3 = s, since s ∈ {-1, 0, 1}. Furthermore, it readily follows that P(0, x, y) = 
sgn(x - y) and that P(1, x, y) = 1. For x, y ∈ {0, 1}^n the polynomial P that implements 
the sgn-function is then constructed as follows, 

  P(x_0, ..., x_{n-1}, y_0, ..., y_{n-1}) = P(... P(P(0, x_{n-1}, y_{n-1}), x_{n-2}, y_{n-2}) ..., x_0, y_0).   (3) 

It can be easily verified that the polynomial P(x_0, ..., x_{n-1}, y_0, ..., y_{n-1}) computes 
sgn(sum_{i=0}^{n-1} (x_i - y_i) 2^i). The polynomial P can be efficiently evaluated by introducing an 
auxiliary variable v = 1 - s^2. Initially, we put s = 0 and v = 1. Then, we compute: 

  s <- s + v(x - y),    v <- v - v(x - y)^2. 

The repetition of this computation for all components of x and y gives the desired result. 
Note that v - v(x - y)^2 can be computed as v(1 - x + 2xy - y). In order to do this 
computation in a private way, one needs three basic steps, where a player multiplies its x 
or y with a given homomorphic encryption. 

1. Player 1 computes [vx] from [v] and ((x)). 

2. Player 2 computes [vy] and [vxy] from [v] resp. [vx] and ((y)). 

3. (Both may) Compute [s + vx - vy] (which is the new s). 

4. (Both may) Compute [v - vx + 2vxy - vy] (which is the new v). 

If needed, s can be decrypted using threshold decryption. Note that this algorithm needs 
three "multiplication with a private multiplier" protocols for each bit. Clearly, this algo-
rithm has the following invariants: 

ft— 1 n— I 

The second step in the algorithm can be performed efficiently by the algorithm described 
in section ??. This approach can also be applied to the Socialist Millionaires problem to 
produce the result in encrypted form. Hence, it extends the solution described in [BST01]. 
The algorithm is based on a multivariate polynomial Q(x_0, ..., x_{n-1}, y_0, ..., y_{n-1}) that 
implements the function δ(z), which is defined as δ(0) = 0 and δ(z) = 1 for z ≠ 0. The 
reduction polynomial G used to construct Q is given by, 

  G(s, x, y) = (1 - (x - y)^2) s + (x - y)^2, 

where x, y, s ∈ {0, 1}. The polynomial Q is then given by, 

  Q(x_0, ..., x_{n-1}, y_0, ..., y_{n-1}) = G(... G(G(0, x_0, y_0), x_1, y_1) ..., x_{n-1}, y_{n-1}).   (4) 

Clearly, an algorithm analogous to and with the same complexity as the one mentioned above 
can be used to implement this function efficiently (with initial conditions s = 0 and v = 1 - s = 1). 

For the sake of completeness we present another solution of similar complexity as [BST01]. 
The players commit to [x] and [y], respectively. The two players jointly form [r], where 
r is uniformly distributed and neither of the players knows r. Using multiplication with a 
private multiplier, the players compute [(x - y)r] from [x], [y] and [r], to obtain g^{(x-y)r} 
after decryption. If g^{(x-y)r} = 1, then w.v.h.p. x = y, otherwise x ≠ y. In fact, this is very 
close to [BST01], which uses (2, 2)-threshold decryption in disguise. 

10.2 Generalized Millionaires problems 

In the millionaires problem, the respective inputs x and y are both private to the players. 
In many applications (e.g. secure profile matching), however, one or both of the inputs will 
be shared. We show how to extend our approach from the previous section 10.1 to this 
case. 

From the considerations in section 10.1 it follows that if only one input is shared, say 
x, we can still use the multiplication with a private multiplier protocol at a few steps in 
the algorithms. For the millionaires algorithm this leads to 2n private multiplier protocols 
and n dichotomous multiplication protocols. If both inputs are shared however, we have to 
use the dichotomous multiplication protocol at all steps, giving 3n uses of the dichotomous 
multiplication protocols. 

If one input is shared, say x, and the other input is a known constant T, we can do the 
following. Replace y_j with T_j for j = 0, ..., n - 1 and compute [x_j - T_j] for j = 0, ..., n - 1 by 
using the homomorphic properties of the encryption scheme. In this way the problem is 
transformed into the inequality x - T > 0. Then, only the computation of [v(x_j - T_j)] in 
the algorithm of section 10.1 has to be done with the dichotomous multiplication protocol 
(leading to n dichotomous multiplications). 

10.3 Arithmetic Operators 

To add two numbers x, y given by their binary representation, the respective bits are added, 
also taking the carry into account. To produce the next bit of the output we need to 
compute [t_i] = [x_i + y_i + c_{i-1}], where c_{i-1} is the carry value. We have that z_i = t_i mod 2, 
and c_i = floor(t_i / 2). Written as polynomials in the bits, 

  z_i = x_i + y_i + c_{i-1} - 2 x_i y_i - 2 x_i c_{i-1} - 2 y_i c_{i-1} + 4 x_i y_i c_{i-1}, 

  c_i = x_i y_i + x_i c_{i-1} + y_i c_{i-1} - 2 x_i y_i c_{i-1}. 

If both x and y are private, all of these terms can be computed using the "simple" 
multiplication protocol. We need 4 such multiplications for each bit. So, O(n) in total, 
using rounds. If only one is private, then we need one dichotomous multiplication. If 
both are shared, then we use the dichotomous multiplication all the time. 

Similarly, multiplication of two numbers x, y is achieved by the school method. This 
requires O(n^2) bit multiplications. We omit further details. 
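Evaluating the reduction polynomials (2)-(4) of section 10.1 and the adder polynomials of section 10.3 in the clear, as an added example that is not the paper's own code (the function names are mine): the folded polynomials are checked against sgn(x - y), the inequality indicator δ(x - y) and integer addition on all 4-bit inputs.

```python
def sgn(z):
    """The sign function (1) of section 10.1."""
    return (z > 0) - (z < 0)

def P(s, x, y):
    """Reduction polynomial (2): P(0, x, y) = sgn(x - y), and P(s, x, y) = s once s is +-1."""
    return s + (1 - s * s) * (x - y)

def G(s, x, y):
    """Reduction polynomial of the socialist millionaires: becomes and stays 1 once x != y."""
    return (1 - (x - y) ** 2) * s + (x - y) ** 2

def bits(a, n):
    """n-bit binary representation (a_{n-1}, ..., a_0), msb first, as used on this page."""
    return [(a >> i) & 1 for i in range(n - 1, -1, -1)]

def compare(x, y, n):
    """Polynomial (3): fold P over the bit pairs from the msb down; equ
als sgn(x - y)."""
    s = 0
    for xi, yi in zip(bits(x, n), bits(y, n)):
        s = P(s, xi, yi)
    return s

def differ(x, y, n):
    """Polynomial (4): fold G over the bit pairs; equals delta(x - y), i.e. 1 iff x != y."""
    s = 0
    for xi, yi in zip(bits(x, n), bits(y, n)):
        s = G(s, xi, yi)
    return s

def add_bits(x, y, n):
    """Section 10.3 adder: z_i and c_i written as the polynomials in x_i, y_i, c_{i-1}
    given there; the products x_i y_i, x_i c, y_i c and x_i y_i c are the four
    multiplications needed per bit. Returns the n + 1 sum bits, msb first."""
    c, out = 0, []
    for xi, yi in zip(bits(x, n)[::-1], bits(y, n)[::-1]):  # walk from the lsb upwards
        xy, xc, yc = xi * yi, xi * c, yi * c
        xyc = xy * c
        out.append(xi + yi + c - 2 * xy - 2 * xc - 2 * yc + 4 * xyc)  # z_i = x_i xor y_i xor c
        c = xy + xc + yc - 2 * xyc                                      # c_i = majority
    out.append(c)  # the final carry is the extra output bit
    return out[::-1]

def from_bits(b):
    """Integer value of a bit list given msb first."""
    v = 0
    for bit in b:
        v = 2 * v + bit
    return v

if __name__ == "__main__":
    for x in range(16):
        for y in range(16):
            assert compare(x, y, 4) == sgn(x - y)
            assert differ(x, y, 4) == (x != y)
            assert from_bits(add_bits(x, y, 4)) == x + y
    print("all 4-bit cases agree with sgn, inequality and integer addition")
```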

10.4 Inverse 

Given an encrypted value [x] we wish to compute [1/x], assuming that x ≠ 0. 

Known solution (see [CDN01]): generate jointly random [r]. Use strong multiplication 
to compute [rx] and decrypt to get rx. If rx = 0 then abort, otherwise compute [1/(rx)]. 
Finally, use strong multiplication with [r] to obtain [1/x]. 

Using p(x) = x^{q-2} as reduction polynomial, we get an alternative solution requiring 
log q strong multiplications. This solution also works for x = 0, yielding [0] as result. 

10.5 Zero test 

Given an encrypted value [x] we wish to test whether x = 0 or not. The result should be 
encrypted as well, so the result is [[x = 0]]. ([x = 0] = 1 - sgn(x)^2.) 

The reduction polynomial is p(x) = x^{q-1}. Efficiency is O(log q) strong multiplications. 
Let δ(x) = x^{q-1}. 

If the result need not be encrypted, then use socialist millionaires. 
Note that our solution for socialist millionaires with encrypted output assumes that the 
input values are given bit-by-bit. Efficiency is O(n) dichotomous multiplications. 

10.6 Parity bit 

Given an encrypted value [x] we wish to determine the parity of x (when viewed as an 
integer in {0, ..., q - 1}). We also show how to get an encrypted answer. 

If x is private to a single player, the player proves in zero-knowledge that it revealed the 
parity of x correctly. Write x = 2x' + x_0, and create commitments for x' and x_0 that can be 
verified for correctness w.r.t. [x]. Prove that x_0 ∈ {0, 1}. Prove that x' ∈ {0, ..., (q - 1)/2}. 
The latter proof can be done using an efficient interval proof. 

If x is shared and sufficiently small (x < √q), we have the following protocol. Jointly 
generate an even random number [r], 0 ≤ r < q/2 (player P_i generates a random number 
0 ≤ r_i < q/8, plus a proof; then take [2(r_1 + r_2)], which is an even number by 
construction). Then decrypt [x + r] to learn the parity of x. Since r is from a much larger 
range than x, the value of x + r is statistically independent of x (only negligibly dependent). 

The above method is extended for an encrypted answer as follows. Player P_i generates 
a random {0, 1} value s_i plus proof. Instead of decrypting [x + r], we now decrypt 
[x + r + s_1 + s_2] and encrypt the parity of x + r + s_1 + s_2 as [psb(x + s_1 + s_2)] = [psb(x) ⊕ s_1 ⊕ s_2]. 
Next, we use the xor-homomorphic protocol for [s_1] and [psb(x) ⊕ s_1 ⊕ s_2], then for [s_2] 
and [psb(x) ⊕ s_2] to get [psb(x)]. 

Note that the parity of x can also be determined by computing [x/2] and then testing 
whether the encrypted value is below (even) or above (odd) q/2, when viewed as an integer 
in {0, ..., q - 1}. 

The reduction polynomial follows from p(x) = δ(prod_{i=0}^{(q-1)/2} (x - 2i)). 

11 Advanced operations 

11.1 Hamming distance 

Given two vectors x and y with entries in Z_q, the Hamming distance d_H(x, y) between x 
and y is defined as follows 

  d_H(x, y) = sum_{i=1}^{n} δ(x_i - y_i), 

where δ(x) = 0 if x = 0 and δ(x) = 1 if x ≠ 0. The goal of this section is to compute 
securely the Hamming distance between x and y without revealing any further information 
about x and y. More precisely, we assume that there are two players P_1 and P_2 each having 
a vector, say x and y respectively. They want to compute d_H(x, y) by performing a two-
party protocol. We denote the i-th entry of the vector x by x_i ∈ Z_q. The entries x_i can be 
represented as binary strings through the following representation: 

The equality tests are done as in Section ??, using variable h. 
At the end of the protocol P_1 and P_2 decrypt h. Invariant: 

In order to compute d_H(x, y), the above defined protocol has to be performed for every 
entry x_i, y_i of the vectors x and y. Denote the outcome for the entry i by h_i. Then, we 
have 

  d_H(x, y) = sum_{i=1}^{n} h_i. 

Then both players decrypt together [d_H(x, y)]. 
Details: 

In this section, we investigate the problem of computing securely the Hamming distance 
between two vectors x, y ∈ Z_q^n. The difference with the previous setting is that one of the 
players (say player P_1) should after the protocol only know whether d_H(x, y) > μ, where μ is 
a threshold chosen by him. 

P_1 and P_2 therefore follow the following steps: 

1. P_1 and P_2 compute securely, following the protocol given in section ??, the data [h_i] = 
[δ(x_i - y_i)]. 

2. P_1 and P_2 compute securely the bit representation of the sum sum_i [h_i]. Therefore they write 
[h_i] as ([0], [h_i]). Then, they compute the XOR sum of the bit strings ([0], [h_i]) 
for i = 1, ..., n. This can be done using the binary arithmetic protocols of the previous 
paragraph. Denoting the sum sum_i h_i by s, this protocol ends with the encrypted bit 
representation of the sum s, i.e. ([s_n], ..., [s_0]). 

3. P_1 chooses his threshold μ, computes the bit representation of μ and encrypts it. 

4. P_1 and P_2 carry out the "Millionaires" protocol based on multivariate polynomials as 
developed above. Then, they decrypt the result of this protocol. 

11.2 Euclidean Distance 

In this section, we consider the same problem as in Section 11.1, only the Hamming distance 
is replaced by the Euclidean distance. We recall that for two vectors of length n over Z_q, 
the Euclidean distance d_E(x, y) is defined as 

  d_E(x, y) = sum_{i=1}^{n} (x_i - y_i)^2. 

The players perform the following steps: 

1. P_1 computes [x_i^2] from its knowledge of x_i and [x_i]. 

2. P_2 computes [y_i^2] from its knowledge of y_i and [y_i]. 

3. Compute [h_i] = [x_i^2 - 2 x_i y_i + y_i^2]. 

Finally, all the encryptions are multiplied and one obtains, 

  [d_E(x, y)] = prod_{i=1}^{n} [h_i] = [sum_{i=1}^{n} (x_i - y_i)^2]. 

By decrypting, the result is obtained. 

For shared inputs we need strong multiplication, or use bit-by-bit representations of x_i 
and y_i. 
11.3 Other 

Maximum and sorting, intersection of sets, membership tests are also possible using the 
described invention. 

12 Applications 

12.1 Secure Profile Matching 

In recent years, the availability to users of large amounts of content (audio, video, text, 
etc.) in electronic form has called for the development of methods for information selection. 
Such methods are most commonly based on the idea of personalisation, where information 
is selected for a given user according to the profile of preferences of that user. Such systems 
are generally known as recommender systems (described by Furner). 

Collaborative filtering (described by Griffith) techniques are recommender systems in 
which the recommendation of content is based on the similarity between the profile of a 
given user and the profiles of other users (and not on the features of the content itself). If 
the measure of similarity between any two profiles is high enough (according to some pre-
defined criterion), the system can recommend to one user the highly appreciated content 
items of the other user, which have not yet been seen by that first user. 

Here we extend this setting to the ad-hoc case where two users can compare their 
profiles and find out whether they have a similar taste. If so, they might start a procedure 
to exchange content with each other. If not, the protocol guarantees that no other private 
information is leaked than the fact that the profiles are not similar. 

In this section, we will give a few similarity measures for profile matching and show 
how the private matching problem can be solved using the techniques developed in the 
previous sections. 

12.2 Similarity Measures 

In this section, we show how to apply our techniques to the case of two users who want 
to compare their profiles in a fully private way. From an application point of view, the main 
focus point of our approach is to allow for ad-hoc use. By private comparison of two profiles, 
we mean that the users compute securely a beforehand agreed test function. In a second 
phase they compare this (encrypted) value securely with a threshold; i.e. at the end of the 
protocol, the only knowledge the players get is whether the value of the test function exceeds 
the threshold or not. The participants are assumed to have an authenticated channel with 
each other. For sake of clarity we will restrict ourselves to the case where the private 
profiles of the users consist of binary vectors denoted as x and y, but extensions to non-
binary vectors are also possible. 

A first measure for comparing two vectors is given by the number of entries in which 
they differ. This measure can be defined in terms of the Hamming distance d_H(x, y) between 
two vectors x, y ∈ {0, 1}^n, as defined in section 11.1. A second measure used in this paper 
is the scalar product <x, y>, defined in (6). 

The goal of this section is to show how these measures can be computed and compared to a 
threshold in a private way. The private computation of d_H(x, y) is performed by running the 
private multiplier multiplication protocol and using threshold decryption to decrypt the 
result. The private computation of <x, y> is also based on the private multiplier multiplication 
protocol of section 7.1 and the homomorphic properties of the ElGamal cryptosystem. 
A more interesting situation arises when the decision problems d_i(x, y) > μ, i = 1, 2, for the 
two measures above and a threshold μ chosen by one or both of the players, have to be solved 
in a private way. We present a protocol analogous to the one described in section ??, in which 
the players first compute securely the encrypted measure using the private multiplier 
multiplication protocol of section 7.1. 

12.3 Auctions 

In order to evaluate our approach, we investigate a second application: secure auctions. 
We will compare our results with those of [?] as they presented the most efficient auction 
protocol thus far. Their approach is based on the Mix and Match technique introduced by 
Juels and Jakobsson in [JJ00]. We show that our approach belongs to the fastest known (thus 
far) and is the fastest in computational sense. By using our multiplication protocols we 
avoid the relatively computationally expensive Mix computation. Our protocol satisfies the 
same advantages as formulated by Juels and Jakobsson [JJ00], in particular it satisfies: 
non-interactivity, auction adaptability, full privacy, robustness, multiple servers and public 
verifiability. 

An auction consists of two phases: a bidding phase during which the participants 
send their bids to the auctioneer, and an opening phase during which the auctioneer an-
nounces the highest price and the identity of the winner. We assume the following model. 
There are m bidders, P_1, ..., P_m. The bids are given by x_1 = (x_{1,n-1}, ..., x_{1,0})_2, ..., x_m = 
(x_{m,n-1}, ..., x_{m,0})_2. Note that the representations are ordered from msb to lsb. The bidders 
encrypt their bids with the joint public key of the servers, and send those to the auctioneer: 
[x_i] = ([x_{i,n-1}], ..., [x_{i,0}]). There are k servers. We will describe our method for highest 
price auctions and discuss briefly how it can be extended to Vickrey (second-price) auctions. 

We construct an algorithm for determining the identity of the highest bidder. This 
algorithm is used by the servers to determine securely the highest bid and the identity of 
the highest bidder(s). Therefore, we define a set of n + 1 selection vectors w_i ∈ {0, 1}^m, 
i = -1, ..., n - 1, that keep track of the identities of the highest bidder up to bit i (starting 
from the msb). The algorithm starts with the vector w_{n-1} and the identity of the highest 
bidder is contained in the vector w_{-1}. In order to give the dynamics that updates w_i to 
w_{i-1}, we define a second set of vectors t_i ∈ {0, 1}^{m+1}, i = 0, ..., n - 1. The vectors t_i 
check whether the vector x_i w_i (the componentwise product of the i-th bits of the bids 
with w_i) equals the zero vector. We denote the j-th component of the vectors by w_{i,j}, 
t_{i,j}. The initial condition for the t vectors is given by t_{i,0} = 0 for i = 0, ..., n - 1 and 
for the w vectors is given by w_{n-1} = (1, ..., 1). We define the polynomials 
F(s, z) = s + (1 - s)z and G_a(s, z) = s(z + (1 - z)(1 - a)). The dynamics is then defined 
by the following updating rule, 

  t_{i,j} = F(t_{i,j-1}, x_{j,i} w_{i,j}),    w_{i-1,j} = G_{t_{i,m}}(w_{i,j}, x_{j,i}), 

for i starting with i = n - 1 and, for each i, the counter j runs from 1 
to m. Note that t_{i,m} = 1 means that at least one of the components of the vector x_i w_i 
equals one. In order to compute the vector w_i securely, the servers use the generalised 
millionaires protocol of section ?? based on the conditional gate. When the vector has 
been computed securely, the servers use fair threshold decryption to decrypt the entries 
of the vector w_{-1}. The identities of the winning bidders correspond to the positions of 
the entries of w_{-1} that are equal to one. Using this identifier, they can find the corre-
sponding highest bid and use threshold decryption to decrypt it. In order to evaluate the 
performance of our protocol we start by omitting the verification computations. The com-
putations require 3mn dichotomous shared multiplier multiplication protocols; i.e. 51mn 
exponentiations per server. The fastest auction protocol up to now is based on the Mix and 
Match approach and described in [?]. Their protocol requires mn AND gates. Adding all 
exponentiations for a secure evaluation of the AND gate, consisting of the exponentiations 
for threshold decryption, four PETs (Plaintext Equality Test), a MIX protocol together 
with the necessary Zero-Knowledge proofs, amounts to 151mn exponentiations. Hence, the 
protocol proposed in this paper is three times as fast as the protocol given in [?], which 
on its turn is seven times faster than the Mix and Match approach of [JJ00]. Taking the 
verification efforts into account an extra factor k has to be added. Finally, we mention that 
the total number of rounds for the servers computations is given by 3mnk. 

Now, we return to Vickrey auctions. We remind the reader that a Vickrey auction is an 
auction where the highest bidder wins but the clearing price, i.e. the price that the winner 
has to pay, is equal to the second highest bid. In order to perform a Vickrey auction, one 
can follow the following approach. First the servers determine the identities of the winners 
(but not the winning bids) with the protocol given above. Then, they remove the winners 
and their bids from the list. Finally, they evaluate the following set of polynomials, 

for j = n - 1, ..., 0 and where F is as defined above. The vector p = (p_{n-1}, ..., p_0) contains 
then the maximum bid price. Note that this procedure adds only mn conditional gates, 
i.e. 17mn exponentiations. The approach of [?] yields 2mn AND gates which gives 300mn 
exponentiations. 
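The w/t dynamics of section 12.3 run over cleartext bits, as an added example that is not part of the paper (the function names are mine, and the updating rule is assumed to be t_{i,j} = F(t_{i,j-1}, x_{j,i} w_{i,j}) and w_{i-1,j} = G_{t_{i,m}}(w_{i,j}, x_{j,i}) with F(s, z) = s + (1 - s)z and G_a(s, z) = s(z + (1 - z)(1 - a))). It goes one step beyond the text by also collecting the bits t_{i,m}, which spell the highest bid, msb first.

```python
def F(s, z):
    """F(s, z) = s + (1 - s)z: the OR of two bits as a polynomial."""
    return s + (1 - s) * z

def G_a(a, s, z):
    """G_a(s, z) = s(z + (1 - z)(1 - a)): a candidate s survives unless the round is
    decisive (a = 1) and its own bit z is 0."""
    return s * (z + (1 - z) * (1 - a))

def bits(b, n):
    """(b_{n-1}, ..., b_0), msb first, as the bids are represented in section 12.3."""
    return [(b >> i) & 1 for i in range(n - 1, -1, -1)]

def highest_bidders(bids, n):
    """Run the w/t dynamics over cleartext bits (constructed stand-in for the servers'
    computation on encrypted bits). Returns the selection vector w_{-1}, whose 1-entries
    mark the highest bidder(s), and the bits t_{i,m}, msb first."""
    m = len(bids)
    x = [bits(b, n) for b in bids]   # x[j][i] is bit i of bid j, counted from the msb
    w = [1] * m                      # w_{n-1} = (1, ..., 1): everyone is still a candidate
    price = []
    for i in range(n):               # i runs from the msb down to the lsb
        t = 0                        # t_{i,0} = 0
        for j in range(m):           # t_{i,j} = F(t_{i,j-1}, x_{j,i} w_{i,j})
            t = F(t, x[j][i] * w[j])
        price.append(t)              # t_{i,m} = 1 iff some remaining candidate has bit i set
        w = [G_a(t, w[j], x[j][i]) for j in range(m)]   # w_{i-1,j} = G_{t_{i,m}}(w_{i,j}, x_{j,i})
    return w, price

def winners(bids, n):
    """Bidder numbers (1-based, as P_1, ..., P_m) whose entry of w_{-1} equals one,
    together with the highest bid read off the t_{i,m} bits."""
    w, price = highest_bidders(bids, n)
    return [j + 1 for j, wj in enumerate(w) if wj == 1], int("".join(map(str, price)), 2)

if __name__ == "__main__":
    # Constructed sample: four bidders with 4-bit bids and a tie for the highest bid.
    print(winners([5, 9, 3, 9], 4))   # ([2, 4], 9)
```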

12.4 Applications: Membership tests 

We will be very brief about this topic. The main question is to check securely whether an 
encrypted element [x] belongs to a certain set A. The set A consists of encrypted values 
only. 

By applying the techniques earlier mentioned in this document, this problem can be 
tackled too. 

13 General (Strong) Multiplication 

Given two homomorphic encryptions [x], [y] the object is to compute a homomorphic 
encryption [xy]. We use a protocol from [CDN01]. 

1. Player P_i chooses a random value r_i and sends [r_i] to player P_{3-i} along with a proof 
that it knows r_i, for i = 1, 2. 

2. The players jointly decrypt [x + r_1 + r_2]. 

3. Let x_1 = x + r_2, x_2 = -r_2. Player P_i sends [f_i] = x_i [y] to player P_{3-i} along with 
a proof, for i = 1, 2. 

4. Both players may compute [f_1] + [f_2] = [xy]. 

If any of the proofs fails, the protocol is aborted. 

The protocol takes a constant number of modular exponentiations. Here's an exact 
count in case Paillier's cryptosystem is used. 

1. Encryption of r_i: one exponentiation. 

2. Proof of knowledge of r_i: another one. 

3. Verification of proof: another one. 

4. Decrypt per player: one exponentiation. 
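The per-bit steps 1-4 of section 10.1 and the four steps of section 13, simulated with exponential ElGamal in an added example that is neither the paper's nor any library's code: a single key stands in for the threshold-shared key, the zero-knowledge proofs are omitted, p = 2039, q = 1019 and g = 4 are constructed toy parameters, and all helper names are mine. Player 1 holds x and player 2 holds y; only [v] and [vx] travel between them in the comparison.

```python
import random

# Constructed toy parameters (not from the paper): p = 2q + 1 with q prime, g = 4 of order q.
P_MOD, Q_ORD, GEN = 2039, 1019, 4

def keygen():
    """One secret key stands in for the paper's threshold-shared key in this simulation."""
    sk = random.randrange(1, Q_ORD)
    return sk, pow(GEN, sk, P_MOD)

def enc(pk, m):
    """Exponential ElGamal: [m] = (g^r, g^m h^r), additively homomorphic in m."""
    r = random.randrange(1, Q_ORD)
    return (pow(GEN, r, P_MOD), pow(GEN, m % Q_ORD, P_MOD) * pow(pk, r, P_MOD) % P_MOD)

def add(c1, c2):
    """[a] + [b] = [a + b]: componentwise product of the ciphertexts."""
    return (c1[0] * c2[0] % P_MOD, c1[1] * c2[1] % P_MOD)

def scale(c, k):
    """k * [a] = [ka], done locally by the player who knows k: the paper's 'multiplication
    with a private multiplier' (its proof of correctness is omitted here)."""
    k %= Q_ORD
    return (pow(c[0], k, P_MOD), pow(c[1], k, P_MOD))

def dec(sk, c, bound=256):
    """Brute-force the small exponent m from g^m (stands in for threshold decryption)."""
    gm = c[1] * pow(c[0], Q_ORD - sk, P_MOD) % P_MOD
    for m in range(-bound, bound + 1):
        if pow(GEN, m % Q_ORD, P_MOD) == gm:
            return m
    raise ValueError("plaintext outside the brute-force range")

def millionaires(pk, x_bits, y_bits):
    """Steps 1-4 of section 10.1 for each bit pair (msb first). Returns [s], s = sgn(x - y)."""
    s, v = enc(pk, 0), enc(pk, 1)
    for xi, yi in zip(x_bits, y_bits):
        vx = scale(v, xi)                       # step 1, player 1: [vx] from [v] and x_i
        vy, vxy = scale(v, yi), scale(vx, yi)   # step 2, player 2: [vy], [vxy] from [v], [vx], y_i
        s = add(s, add(vx, scale(vy, -1)))      # step 3: [s + vx - vy] is the new s
        v = add(add(v, scale(vx, -1)), add(scale(vxy, 2), scale(vy, -1)))  # step 4: new v
    return s

def strong_mult(pk, sk, cx, cy):
    """Section 13: [xy] from [x] and [y] when neither player knows x or y."""
    r1, r2 = random.randrange(1, 16), random.randrange(1, 16)  # small, so dec() can recover the sum
    cr1, cr2 = enc(pk, r1), enc(pk, r2)        # step 1: each P_i publishes [r_i] (proof omitted)
    d = dec(sk, add(cx, add(cr1, cr2)))        # step 2: joint decryption of [x + r1 + r2]
    x1, x2 = d - r1, -r2                       # step 3: x1 = x + r2 (player 1), x2 = -r2 (player 2)
    f1, f2 = scale(cy, x1), scale(cy, x2)      #         [f_i] = x_i [y] via private multipliers
    return add(f1, f2)                         # step 4: [f1] + [f2] = [(x1 + x2) y] = [xy]

def demo(x, y, n=4):
    """Compare and multiply two n-bit values under encryption; returns (sgn(x - y), x * y)."""
    sk, pk = keygen()
    xb = [(x >> i) & 1 for i in range(n - 1, -1, -1)]
    yb = [(y >> i) & 1 for i in range(n - 1, -1, -1)]
    return dec(sk, millionaires(pk, xb, yb)), dec(sk, strong_mult(pk, sk, enc(pk, x), enc(pk, y)))

if __name__ == "__main__":
    print(demo(5, 3), demo(3, 5), demo(9, 9))   # (1, 15) (-1, 15) (0, 81)
```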

Euclidean distance as a measure of similarity. For two vectors x, y of length n, the 
Euclidean distance d_E(x, y) of section 11.2 is computed in a private way as follows. 

1. Player 1 computes [x_i^2] for all i = 1, ..., n. 

2. Similarly, player 2 computes [y_i^2] for all i = 1, ..., n. 

3. Both players compute [x_i y_i] with the private multiplier multiplication protocol; 
player 1 sends its result to player 2, together with a proof that it used the correct value in 
the computation. The encryptions are then combined, making use of the homomorphic 
properties of the encryption scheme, as follows, 

4. By using fair threshold decryption, the result is obtained. 

For the corresponding decision problem, the players use the binary representation of their 
inputs, compute the outcomes [h_i] in binary representation, and then compute the binary 
representation of the sum as in the previous section. 

A further measure is the normalised scalar product, 

  (x, y) = <x, y> / (||x|| ||y||), 

for which ||x||^2 = sum_i x_i^2 and ||y||^2 = sum_i y_i^2 can be computed using 
the homomorphic properties of the ElGamal encryption scheme. Using the homomorphic 
properties once more, one obtains [(x, y)]. Finally, the value is obtained by applying (fair) 
threshold decryption and by extending the technique of [FSW01] to deal with rational 
numbers to the ElGamal case. 

In order to solve the associated decision problem, i.e. to decide whether (x, y) > μ for 
some well defined threshold μ, all computations have to be done in the binary representation 
as explained before. Moreover, as 0 < μ < 1, it looks favorable to solve the following 
associated decision problem: <x, y> ≥ μ ||x|| ||y||. Then the "Millionaires" protocol of 
section 10.1 has to be applied. Finally, the result is obtained by applying (fair) threshold 
decryption. 

It should be noted that the above-mentioned embodiments illustrate rather than limit 
the invention, and that those skilled in the art will be able to design many alternative 
embodiments without departing from the scope of the appended claims. 

In the claims, any reference signs placed between parentheses shall not be construed as 
limiting the claim. The word "comprising" does not exclude the presence of elements or 
steps other than those listed in a claim. The word "a" or "an" preceding an element does not 
exclude the presence of a plurality of such elements. The invention can be implemented 
by means of hardware comprising several distinct elements, and by means of a suitably 
programmed computer. A single processor or other (programmable) unit may also fulfill 
the functions of several means recited in the claims. 

In the device claim enumerating several means, several of these means can be embodied 
by one and the same item of hardware. The mere fact that certain measures are recited in 
mutually different dependent claims does not indicate that a combination of these measures 
cannot be used to advantage. 

Claims 



1. Method for multiparty computation, substantially as described above. 

2. Method for allowing at least two users to compare their private data without revealing 
any other information than whether they are similar or not, according to some measure. 

3. Method for at least two users to obtain the product of two possibly encrypted numbers 
and optionally a proof that it was correctly computed and optionally that the other 
player did not cheat. 

4. Device to support or implement any of the methods of claims 1-3. 

5. System to support or implement any of the methods of claims 1-3. 

6. Signal carrying protocol information related to the protocols of claims 1-3. 



